Kevin Davis is co-lead architect of Kava’s cross chain DeFi platform and helped build the core components of Kava’s CDP module.
The price of ETH dropped around 30% overnight on March 11th, as part of an all-asset sell off of truly epic proportions. The losses in ETH markets caused a protocol failure of the multi-collateral Dai system that resulted in 4 million DAI becoming un-collateralized. Due to this failure, the Maker system as a whole now has a debt of 4 million DAI and needs to be recapitalized. This article will go over what occurred at a technical level and attempt to figure out what went wrong.
Before discussing the specific failure, I would like to point out that, while the price action in equities markets due to COVID-19 may be perceived as a black swan type event, these types of price swings in crypto are relatively frequent. It is imperative that all protocol designers understand that falls of this magnitude can and will happen again, and that these types of events should be included as part of any modeling and stress testing exercise undertaken before releasing code of high financial value.
Multi-collateral Dai is backstopped by collateral auctions in which the collateral backing risky CDPs is sold in exchange for DAI, which is then burned. This recapitalizes the system and prevents DAI from becoming under-collateralized for long periods of time. After auction, any remaining collateral is returned to the CDP owner, minus a liquidation penalty. One feature of these auctions, as currently parameterized, is that they have rather short durations. After a bid, auctions expire in 10 minutes if no one else bids. In the event of a crash in the price of ETH, the ‘keepers’ or bots that bid on auctions, need a way to source DAI to bid on defaulted collateral. We see some evidence that there was a scramble to liquidity for DAI, as there was wild price fluctuations above a dollar in the DAI-USDC market in the early morning hours EST:
As a result of the price action in ETH markets, many CDP holders collateral value fell below the required 150% collateralization ratio, and their CDPs were seized. During normal times, we expect collateral auctions to clear with the price of the collateral at auction similar in value to the price of the same amount of collateral on exchanges. However, that didn’t happen during the market crash, and auctions were instead clearing with winning bids of less than DAI 0.01, basically giving the winners of auctions free ETH.
Maker and associated parties clearly had no plan in place for a spike in liquidations of this scale and ~$4 million in collateral auctions passed with no intervention. Most likely, the network of keepers had a small amount of DAI on hand, and when it ran out, they had no automated way to source liquidity, nor a manual alert that could respond in time.
To dispel a myth I’m seeing it crypto twitter, it seems unlikely that gas prices were a primary factor. Yes, gas prices were high, but the reference implementation of an auction keeper has a dynamic gas price mechanism built in. It is possible gas prices were effecting the marginal decisions of some keepers to participate in auctions, but this should not have resulted in auctions clearing at ~100% profit for those that did participate.
As a result of the failed collateral auctions, MakerDao has harmed the holders of the CDPs that got liquidated. They should have been assessed a liquidation penalty of 13%, and instead got hit with a 100% penalty. Further, they have created a situation where 4 million DAI are now not backed by collateral. This will trigger debt auctions, where MKR is minted to cover the shortfall, inflating all other MKR holders. Debt auctions have never happened before at this scale, and a zero-day exploit could be catastrophic if one exists. Even without an exploit, debt auctions may cause a downward spiral in the price of MKR, resulting in large holders selling ahead of auctions and large amounts of MKR being minted relative to its current market price. There is also the possibility that MKR holders decide to trigger emergency shutdown. I think this is a last resort and should not be used here, as it will cause a complete loss of confidence in DeFi, perhaps permanently.
While we are still early in terms of diagnosing root cause, this seems like a failure of planning that has put the nascent DeFi ecosystem at risk, and was largely preventable. Changes in the auction parameters could have increased the time window to respond and reduced the damage done. Further, 24 hour alert systems should have been in place, with real time ability to respond. MakerDao is an extremely well capitalized organization, and having these kinds of expectations is not unreasonable.
The rush to liquidity and associated spike in DAI prices during times of increased liquidations is cause for a more general concern, and should be investigated more thoroughly before specific mitigations are taken. Ultimately, if MakerDao had not stress tested the auction mechanism with realistic market scenarios, or didn’t have confidence in the auction mechanism working for a few million dollars worth of collateral, I cannot fathom how this system made it to production with hundreds of millions of dollars in collateral at stake. Serious internal reflection is needed.